1. Field of the Invention
The present invention relates to server-oriented programmed apparatus and method for managing a user session on a network where user application connections are not maintained. More particularly, the present invention relates to a token validation apparatus and method that is transparent to the user and client application and is operable with any internet client.
2. Description of Related Art
One technique for conducting important transactions on a public network is to require that a user submit user identity information and a password with every page or form submitted to a server computer at an institution. This may be repetitive and tiresome to a user. Further, the more often that these important values are communicated, the more exposed they become to attack and therefore it is desirable to minimize the number of times that they must be entered and transmitted.
Another known technique for conducting important transactions on a public network includes securing the client or user terminal and encrypting all important messages. A difficulty with securing the client is that many of them are open architecture personal computers which, unlike an automatic teller machine, can not be secured. Further difficulty arises because new browser programs are being made available to the public all the time and a financial institution, for example, can not control the features of these programs beyond the basic standards already being observed. Most of these browser programs store pages in memory and allow scrolling back and forth. Many of these browser programs also allow a page or form received from a financial institution to be stored on disk for future reference. The existence of such pages on an unsecured personal computer, for example at a public library, may allow the next user to recover such information with minimal hacker knowledge and submit the page in a replay mode, pretending to be the authorized user. If the page has been stored on disk, it can be recovered at a later time even if the computer has been turned off.
The use of encryption as described in U.S. Pat. No. 5,416,842 is implemented in many server programs and client browser programs in the form of the secure socket layer (SSL). This method by itself does not provide secure session continuity at an unsecured. terminal over the sequential presentation and submission of a number of pages of a multi-page session as provided by the instant invention but only provides protection against those who would attack the communication network.
U.S. Pat. No. 5,237,614 describes a system based upon limiting access by a user to a client at a user location and then relies on encryption to protect the session and provide continuity over the series of pages presented to the user and submitted by the user. This system requires that specialized client software and hardware must be provided at each user location which the instant invention does not require.
The present invention overcomes these inadequacies, problems and disadvantages of the prior art by means of the apparatus and method of the invention which is summarized below.